June 2015

A California federal district court denied Uber’s motion to compel arbitration of its driver’s disputes concerning background checks, holding that the arbitration provisions in the drivers’ contracts were procedurally and substantively unconscionable. Mohamed v. Uber Technologies, No. C-14-5200 EMC (N.D. Cal. June 9, 2015). As an initial matter, the court found that delegation clauses contained in the drivers’ contracts, which purported to reserve the adjudication of the validity and enforceability of the contracts’ arbitration provisions to an arbitrator, were unenforceable because they were not clear and unmistakable and conflicted with other language in the contracts. The court also found that the delegation clauses were unconscionable, as they were buried in the lengthy contract, had an onerous opt-out provision, and imposed substantial arbitration costs and fees on the driver. The court then concluded, on similar grounds, that the arbitration provisions in the Uber contracts were procedurally and substantively unconscionable and therefore unenforceable under California law. The court further found that contractual provisions purporting to waive private attorney general claims were void as a matter of California law.

This year has seen a spate of updates to state data breach notification laws. The most recent state to join the trend is Connecticut, whose new legislation was signed into law by Governor Daniel Malloy on July 1, 2015 and went into effect on October 1, 2015. The updated law adds biometric data to the definition of personal information and sets a 90-day deadline for companies to report data breaches to affected residents as well as the state Attorney General. The amendments also require companies to provide victims with one year of identity theft protection, making Connecticut the first state in the country to require identity theft protection. California enacted a similar law this January, requiring a full year of protection if a business elects to offer credit monitoring.

Montana, Nevada, North Dakota, Washington, and Wyoming also all approved updates to their laws earlier this year. Common updates across these new pieces of legislation include expanded definitions of personal information, incorporating additional data elements beyond the historically included first name or first initial and last name in combination with social security number, drivers license number, or “account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account,” and required notification to the state attorney general.